OWasp GraphQL Cheat Sheet

Question 1

Common Attacks

What types of injection attacks are common?

Answer 1

SQL/NoSQL injection, OS command injection, SSRF, CRLF injection, and request smuggling.

Question 2

Common Attacks

What is an IDOR attack?

Answer 2

It’s abuse of broken authorization, granting improper or excessive access.

Question 3

Common Attacks

What are GraphQL-specific attacks?

Answer 3

Batching attacks and abuse of insecure default configurations.

Question 4

Input Validation

How does strict input validation help?

Answer 4

It prevents injection and DoS attacks by ensuring user input is safe before it’s used in HTTP requests, database queries, or other calls.

Question 5

Input Validation

What should incoming data be validated against?

Answer 5

A strict allow-list of valid values, avoiding deny-lists.

Question 6

Input Validation

How should invalid inputs be handled?

Answer 6

Gracefully reject them without revealing excessive information about API validation.

Question 7

Injection Prevention

What tools should be used to handle input meant for other interpreters (e.g., SQL, OS)?

Answer 7

Libraries offering safe APIs like parameterized statements or ORM/ODM tools, used correctly.

Question 8

Injection Prevention

What should be done if tools aren’t available?

Answer 8

Escape/encode input data using actively maintained libraries.

Question 9

DoS Prevention

What measures can limit GraphQL DoS attacks?

Answer 9

Depth and amount limiting for queries.

Adding pagination to responses.
Enforcing timeouts at the application or infrastructure level.
Implementing query cost analysis.

Question 10

DoS Prevention

What is the purpose of rate limiting?

Answer 10

To prevent a single user from spamming requests and degrading service performance.

Question 11

DoS Prevention

How can server-side batching and caching help?

Answer 11

It prevents duplicate data requests within a short time frame, improving efficiency.

Question 12

Query Limiting (Depth & Amount)

Why should query depth and amount be limited in GraphQL?

Answer 12

Unlimited depth or amounts can overwhelm the server, leading to DoS vulnerabilities.

Question 13

Query Limiting (Depth & Amount)

How can query limiting be implemented in GraphQL?

Answer 13

Using tools like graphql-depth-limit for JavaScript or MaxQueryDepthInstrumentation for Java.

Question 14

Timeouts

How do application-level timeouts help prevent DoS?

Answer 14

They limit the resources a single request can consume, stopping excessive queries mid-process.

Question 15

Timeouts

Why are infrastructure timeouts less effective?

Answer 15

They can be bypassed more easily and may activate too late.

Question 16

Rate Limiting

How can rate limiting be enforced?

Answer 16

Per IP or user basis, using a WAF, API gateway, or web server configuration like Nginx.

Question 17

Server-Side Practices

Why should resources like CPU and memory be limited for APIs?

Answer 17

To prevent excessive resource consumption that could lead to DoS attacks.

Question 18

Server-Side Practices

How can resource limits be enforced on Linux?

Answer 18

Use Control Groups (cgroups), User Limits (ulimits), and Linux Containers (LXC).

Question 19

Access Control

How can a GraphQL API ensure proper access control?

Answer 19

Validate the requester’s authorization to view or modify data using mechanisms like RBAC.

Question 20

Access Control

What issues are prevented by enforcing access control?

Answer 20

IDOR issues, including Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA).

Question 21

Access Control

Why should authorization checks be enforced on both edges and nodes?

Answer 21

To ensure all parts of the GraphQL schema are protected, preventing unauthorized access.

Question 22

Access Control

How can structured data types improve access control?

Answer 22

Use Interfaces and Unions to return object properties based on requester permissions.

Question 23

Access Control

What tools can be used to perform access control validation in resolvers?

Answer 23

Query and Mutation Resolvers, potentially integrated with RBAC middleware.

Question 24

Access Control

What should be disabled in production environments?

Answer 24

Introspection queries, GraphiQL, and other schema exploration tools.

Question 25

# General Data Access What mistake leads to Broken Object Level Authentication (IDOR)?

Answer 25

Assuming possession of an object’s ID means the caller has access to that object without proper verification.

Question 26

# General Data Access How can accidental access via node or nodes fields in GraphQL be prevented?

Answer 26

Check the schema for these fields and remove them if unintended, while applying authorization checks.

Question 27

# Query Access (Data Fetching) How can access to specific data fields be restricted?

Answer 27

Add checks to validate that the requester is authorized to fetch specific fields.

Question 28

# Mutation Access (Data Manipulation) Why is mutation access control important?

Answer 28

It ensures only authorized requesters can modify data or specific fields within the API.

Question 29

# Mutation Access (Data Manipulation) When is mutation access control especially necessary?

Answer 29

For APIs where only read access is intended or where modification rights are limited to specific parties.

Question 30

# Batching Attacks What is a batching attack in GraphQL?

Answer 30

A brute force attack that exploits GraphQL's ability to batch multiple queries or object requests in a single network call, making exploits faster and less detectable.

Question 31

# Batching Attacks How does batching enable enumeration?

Answer 31

Callers can request multiple objects (e.g., droids) in one request, enabling object enumeration with fewer network calls compared to REST APIs.

Question 32

# Batching Attacks What are potential issues caused by batching attacks?

Answer 32

Application-level DoS from excessive queries or requests. Enumeration of sensitive objects (users, emails, IDs). Brute-forcing passwords, OTPs, tokens, or other sensitive data. Bypassing rate limits and security tools like WAFs or IDS/IPS.

Question 33

# Mitigating Batching Attacks What are the main strategies to mitigate batching attacks?

Answer 33

Add object request rate limiting in code. Prevent batching for sensitive objects. Limit the number of queries that can run in one batch.

Question 34

# Mitigating Batching Attacks How can rate limiting help against batching attacks?

Answer 34

By tracking the number of object requests from a caller and blocking excessive requests, even within a single network call.

Question 35

# Mitigating Batching Attacks Why disable batching for sensitive objects?

Answer 35

To force attackers to make individual network calls, enabling standard controls like rate limiting to function effectively.

Question 36

# Mitigating Batching Attacks What is the purpose of limiting query operations in batching?

Answer 36

To reduce the risk of excessive queries and enhance overall security.

Question 37

# Secure Configurations What should GraphQL APIs in production avoid returning?

Answer 37

Excessive error messages, such as stack traces, and they should not be in debug mode.

Question 38

# Secure Configurations How can excessive errors be disabled in Apollo Server?

Answer 38

Pass debug: false to the Apollo Server constructor or set the NODE_ENV variable to 'production' or 'test.'

Question 39

# Introspection and GraphiQL Why should introspection and GraphiQL be disabled or restricted?

Answer 39

By default, these features allow consumers to learn details about your API, including schemas, mutations, and even private fields.

Question 40

# Introspection and GraphiQL When might disabling introspection be appropriate?

Answer 40

For internal APIs or when unauthorized users should not access API details.

Question 41

# Introspection and GraphiQL How can introspection be disabled in Java?

Answer 41

Use NoIntrospectionGraphqlFieldVisibility in the GraphQLSchema configuration.

Question 42

# Introspection and GraphiQL How can introspection and GraphiQL be disabled in JavaScript?

Answer 42

Use middleware with validation rules like NoIntrospection and disable GraphiQL in production.

Question 43

# Mis-Typed Fields Why disable field name suggestion if introspection is disabled?

Answer 43

It decreases exposure by preventing attackers from guessing field names.

Question 44

# Tools What is InQL Scanner?

Answer 44

A security scanner for GraphQL that can generate queries and mutations automatically from a given schema and feed them to the scanner.

Question 45

# Tools What is GraphiQL?

Answer 45

A tool for schema and object exploration in GraphQL environments.

Question 46

# Tools What is GraphQL Voyager?

Answer 46

Another tool for schema and object exploration, providing a visual overview of GraphQL schemas.